While it says it has no reason to think there are backdoors in any of its products, Cisco has started an additional code review looking for “malicious modifications” after Juniper’s announcement that its ScreenOS operating system has been vulnerable for years.
“Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience,” according to the Cisco Security blog written by Anthony Grieco, senior director of the company’s Security and Trust Organization. The company says it will release its findings in accordance with its security vulnerability policy.
+More on Network World: Juniper NetScreen firewall should be patched now+
Juniper’s problem is within its Screen OS operating system, which is confined to some Juniper products, but Cisco has been mentioned in speculation about how ScreenOS was corrupted.
Documents stolen by Edward Snowden said the NSA had backdoored Juniper gear, as well as Cisco gear. Speculation that the unauthorized code Juniper was patching was placed there by the NSA led some to wonder whether the documents’ assertions about Cisco were true. Grieco says the company has received questions from customers related to the Juniper breach.
“We have seen none of the indicators discussed in Juniper’s disclosure,” he writes. He says the company employs rigorous development practices, and that code is scrutinized by Cisco engineers, third-party researchers and customers. “Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk.”
Grieco says Cisco has a no-backdoor policy which bans undisclosed means to access devices, hardcoded or undocumented access credentials, covert communications channels and undocumented diversion of traffic.
+More on Network World: U.S. still No. 1 for unsecured security cameras+
The additional review was entirely Cisco’s idea, he writes, “We have not been contacted by law enforcement about Juniper’s bulletin, and our review is not in response to any outside request.” If it receives credible reports about possible issues, it will investigate them and disclose its findings if they have implications for customers.